DHS putting post-FISMA approach to cyber through a trial run

Jason Miller, executive editor, Federal News Radio

Agencies soon will be told to change the way they certify and accredit their
computer systems.

The Office of Management and Budget is drafting a memo to move agencies out of the
once every three-year process under the Federal Information Security Management
Act.

The goal of the memo is to implement the concept of ongoing authorizations as
outlined in the fiscal 2012 FISMA guidance sent to agencies in September.

In the document, OMB says agencies are expected to conduct
ongoing authorizations of information systems through the implementation of
continuous monitoring programs.


OMB says continuous monitoring programs fulfill the three-year security
reauthorization requirement, so a separate re-authorization process is not
necessary. In an effort to implement a more dynamic, risk-based security
authorization process, agencies should follow the guidance in NIST Special
Publication 800-37.

The Homeland Security Department is the first out of the gate in putting ongoing
authorizations into place.

"We have multiple components that are now running pilots with ongoing
authorization. It will be a three-month pilot," said Jeff Eisensmith, the DHS
chief information security officer, during a panel discussion Tuesday in
Washington sponsored by ACT-IAC. "At the end of that, I hope to have the artifacts
I will share with brethren, all the other departments who are thinking about doing
this. In the meantime, OMB has put out a draft that changes the playing field and
actually supports and embraces ongoing authorization. There is real change going
on here."

OMB didn't respond to a request for comment on the draft memo.

Government sources say CIOs and CISOs are reviewing it and there is no timetable
on when it could be released.

Real-time cyber health data

Meanwhile, DHS is conducting three pilots at its headquarters offices, at the
Citizenship and Immigration Services and at the Immigration and Customs
Enforcement components.

Eisensmith said the end goal is to give the information security officers
(ISOs), risk management officers and senior leaders enough information to make
decisions about the health of their networks.

"What ongoing authorization looks like is the ISOs are now head down, looking at
audit logs instead of creating paper. They are prosecuting the anomalies that are
coming at them," he said. "With continuous monitoring, the goal is to have a
dashboard out there that the ISO will look at. He or she can look at the top 10
bad boys every single day and say 'This is what I have to prosecute today.' The
risk executives will have an idea in a much more near-real time way of saying 'Can
I do that today? Should I push that patch off for two weeks or is my hair on fire
today?' That's the vision of the future and it's not that far off."

Eisensmith said ongoing authorizations create more consistent interactions between
the authorizing official, who is the person in the agency that signs off on the
system saying it meets the FISMA requirements, and the system owner, who's
responsible for keeping the system secure in the first place.

Eisensmith said some authorizing officials are looking at systems every two weeks,
usually because of a triggering event, meaning something about the system changed.

IG is on board

He said DHS has key support of OMB, the Government Accountability Office, the
National Institute of Standards and Technology and even the agency's Inspector
General to move to ongoing authorizations, which is a major reason they are able
to test this concept out.

"We partnered with the IG and explained our processes," Eisensmith said. "We asked
the IG for help to make this something they are comfortable with and able to
report on. The IG said we were right, the old paradigm isn't getting the job
done."

The move to ongoing authorizations is part of the broader implementation of
continuous monitoring and getting away from the historical approach to FISMA of
reauthorizing systems every three years.

Congress has tried to update FISMA several times over the past few years. The
House passed the latest
version last month. The Senate's attempt to modernize FISMA as part of a
comprehensive cyber bill has stalled.

So instead, OMB and DHS are changing FISMA through policy and regulation. For
example, the FISMA guidance is one way, as well as DHS issuing a continuous
monitoring policy last June.

As part of the effort to implement continuous monitoring, several agencies are
putting in place the pieces that eventually will make up the process.

Closing the gaps

The Coast Guard brought together all 52 of its field offices a few months ago to
reach agreement on taking a few specific steps to secure its
networks.


Mark Powell, the Coast Guard's director of the command, control, communications,
computers and IT service center, said he believes ongoing authorizations are a
good idea and is following the pilots closely.

Powell said, in the meantime, the service wants to close the security gaps inside
its network.

"What we'll do is first of all is focus on configuration management. We've been
working with all the field units, identifying standard configuration, which ports
are open and which ports are blocked," he said. "We are ensuring that all the
systems attached to our network share that common configuration and we are able to
identify any devices that are out of configuration on the network."

Powell said the Coast Guard also will continue to implement host-based security
system software.

"We will ensure all of our devices have that installed on them and that we have
tuned that system so that we are getting accurate reports on what's happening on
the network and are able to identify any abnormalities that might occur," he said.

The third area the Coast Guard will focus on is network mapping and scanning.
Powell said the service no longer will just let employees hook up a system to the
network and secure it later. Instead, they are looking to find these rogue systems
and bring them into compliance.
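As an added illustration of the configuration-baseline and rogue-device checks Powell describes, and of the ranked "top 10" view Eisensmith envisions for an ISO dashboard, here is a small Python script that compares scan results against a port baseline. It is example code, not DHS or Coast Guard tooling, and every host address and port in it is constructed for the illustration.

```python
"""Added example: a minimal continuous-monitoring comparison of observed open
ports against an authorized baseline. All hosts, ports and scan data below are
constructed for this illustration; none come from DHS or the Coast Guard."""
from dataclasses import dataclass

# Constructed baseline: inventoried hosts and the ports each may expose.
BASELINE = {
    "10.0.1.10": {22, 443},        # web front end
    "10.0.1.11": {22, 443, 8443},  # management console
    "10.0.1.12": {22},             # bastion host
}

# Constructed scan results, as a network mapper might report them.
SCAN = {
    "10.0.1.10": {22, 443},
    "10.0.1.11": {22, 443, 8443, 3389},  # extra port outside the baseline
    "10.0.1.12": {22, 21},               # extra port outside the baseline
    "10.0.1.99": {445, 139},             # host not in the inventory at all
}


@dataclass
class Finding:
    host: str
    kind: str       # "rogue_host", "port_drift" or "not_seen"
    detail: str
    severity: int   # higher number = handle first


def compare_to_baseline(baseline, scan):
    """Return every deviation between the scan and the baseline."""
    findings = []
    for host, open_ports in scan.items():
        if host not in baseline:
            # An unregistered device: the "rogue system" case in the text.
            findings.append(Finding(host, "rogue_host",
                            f"unregistered host exposing {sorted(open_ports)}", 3))
            continue
        for port in sorted(open_ports - baseline[host]):
            findings.append(Finding(host, "port_drift",
                            f"port {port} open but not in baseline", 2))
        for port in sorted(baseline[host] - open_ports):
            findings.append(Finding(host, "port_drift",
                            f"baseline port {port} not observed", 1))
    for host in sorted(baseline.keys() - scan.keys()):
        findings.append(Finding(host, "not_seen",
                        "inventoried host not found by the scan", 1))
    return findings


def top_findings(findings, n=10):
    """The ranked list a dashboard would show: highest severity first."""
    return sorted(findings, key=lambda f: (-f.severity, f.host))[:n]
```

Run on the constructed data it reports the unregistered host first, then the two hosts with ports open outside their baseline.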

Powell said the challenges the Coast Guard faces are not technology, but people.
He said the goal is to instill best practices across the service by holding people
more accountable than ever before.

Building in two-factor authentication

At Citizenship and Immigration Services, the focus is on identity management as
one way to improve cybersecurity.

Larry DeNayer, the chief information security officer for CIS, said the bureau is
in the middle of a transformation moving 90 paper-based processes online.

"This transformation initiative gives the perfect opportunity to use Identity,
Credential and Access Management as the model architecture to drive forward with
HSPD-12 implementation for internal customers and users," DeNayer said. "Also, as
we grow the external customer base, we can improve things like e-authentication,
two-factor authentication for customers that are out there in cyber and execute in
that fashion. In addition, we also see opportunity to tie identity management to
credential issuance, account set up and the whole account management process
that's associated with that and it's really going to help us with our physical and
logical access controls in that space."

DeNayer said these identity management tools will be integrated into systems as
they are upgraded and redeveloped using the agile methodology.

He said CIS is using agile development, where they create software in small
batches and on short time frames of a few weeks to a few months, and building in
security during each of these sprints, instead of security being an afterthought
or something that is bolted on later.

The common theme among all the DHS components is that security must be risk-based
and use a defense-in-depth approach.